Hi all, what is the best practice to handle secret...
# general
Hi all, what is the best practice to handle secrets generated in pulumi for ephemeral env? For ex. I want to create new instance of mssql server on Azure with admin password in pulumi. One way which comes to my mind is to handle it with Azure Key Vault to not loose this password but maybe there is better approach which works natively with pulumi. Thanks
you can use an encrypted pulumi secret
our approach is use pulumi.random to generate the password, and put it in a keyvault
also you might want to use an azure ad group instead of a single user as the admin
so that you can add yourslef to it and log in for troubleshooting
ok thanks, I also thought about AD it, but in my case it look as too big overhead. What do you mean by
encrypted pulumi secret
is there any api to add entries to Pulumi.stack.yaml? or generating passwords outside of pulumi and pass to it on
pulumi up
with --secret?
yeah you can do pulumi config to set a secret
and it will make an entry you can retrieve as normal
but it will be encrypted in the yaml
sorry, you mean to do it with
pulumi config set
command right?
ah ok thanks
iirc its --secret
If you want to ceate the secret programmatically, you can use the
function and it'll be encrypted in the state file, just like the CLI does. This combines nicely with what Oliver suggested, eg generating it with the random package.
yes, right. it looks like simplest option, thanks